Method for establishing a secret key  between two nodes in a communication network

ABSTRACT

A method for establishing a secret key between two nodes in a communication network, in particular in a wireless local area network (WLAN), includes concealment of the fact that a key exchange occurs, one of the nodes—first node (B)—broadcasts one or more packets (P i ) that can be received by the other node—second node (A)—, wherein the packets (P i ) contain each a first key (K i ) and wherein the packets (P i ) are each encrypted with a second key (k i ) before being sent, the second node (A) randomly chooses one packet (P m ) from the packets (P i ) received and breaks the encryption of the chosen packet (P m ) in order to obtain the first key (K m ), and the second node (A) initiates a key exchange protocol, wherein the second node (A) encrypts the message to be sent for initiating the key exchange protocol with the revealed key (K m ).

The present invention relates to a method for establishing a secret key between two nodes in a communication network, in particular in a wireless local area network (WLAN).

In order to establish a secret key between two nodes in a communication network key exchange protocols are commonly used. Known key exchange protocols are, for example, the Diffie-Hellman algorithm, in particular Diffie-Hellman on elliptic curves, or RSA based methods. The security of the known methods is based on the application of so-called one-way functions. In this sense, the Diffie-Hellman algorithm uses the fact the raising to a power operation is a very simple computation operation, but that in contrast the computation of the discrete logarithm of a number is only possible with extremely high effort.

After having performed the known methods, the parties A and B involved in the algorithm dispose of a secret key K which only they will know. But in case of the known methods the key exchange itself is not kept secret which can turn out to be disadvantageous in certain environments. The initiating party, for example, when performing the Diffie-Hellman key exchange first has to transmit two values over the insecure medium. In the common notation this is a prime number p, as well as a generator g, on the base of which the shared key K_(DH) can then be computed according to K_(DH)=(g^(a) mod p)^(b) mod p=(g^(b) mod p)^(a) mod p. The variables a and b denominate random numbers chosen by the parties. Only due to the fact of transmitting a message with the values g, p, as well as generally also A=g^(a) mod p over an insecure medium, an attacker intercepting this message can already draw certain conclusions, for example, in the simplest case, the fact that a key agreement is occurring and who is the initiating party.

It is therefore an object of the present invention to improve and further develop a method of the initially described type for establishing a secret key between two nodes in a communication network in such a way that the fact a key exchange is occurring is concealed.

In accordance with the invention, the aforementioned object is accomplished by a method comprising the features of claim 1. According to this claim a method of the initially described type is characterized in

that one of the nodes—first node—broadcasts one or more packets that can be received by the other node—second node—, wherein the packets contain each a first key and wherein the packets are each encrypted with a second key before being sent,

that the second node randomly chooses one packet from the packets received and breaks the encryption of the chosen packet in order to obtain the first key, and

that the second node initiates a key exchange protocol, wherein the second node encrypts the message to be sent for initiating the key exchange protocol with the revealed key.

According to the invention, it has first been recognized that a concealment of the key exchange can overall be achieved by performing a protocol where cryptographic elements (encryption of data) and steganographic elements (making data invisible) are combined with each other. The steganographic element concretely consists in the fact that one of the nodes broadcasts one packet or a multitude of packets, wherein the packets contain each a first key and wherein the packets are each encrypted with a second key before being broadcasted. The packets can be received by a second node which chooses randomly one packet from the received packets. By running a brute force attack, the second node breaks the encryption of the chosen packet and obtains thus the first key which has been transported with the packet. In a next step the revealed key is used by the second node to initiate a key exchange protocol. Concretely, the second node encrypts the message, which has to be sent in order to initiate the key exchange protocol, with the revealed key.

In case of the method according to the invention only encrypted messages are broadcasted over a public medium, for example a public broadcast link, whereby an attacker does not have any possibility to find out that the messages are part of a key exchange protocol or serve to initiate a key exchange protocol. Even if the attacker is able to decrypt a packet, the thus gained information itself, i.e. without that the attacker has to invest (considerable) further efforts, is deemed to be worthless, because the attacker does not know which packet the other node will randomly choose from the multitude of packets.

In order to further increase security, it may be provided that the steganographic element is reinforced by inserting a waiting time of pre-definable duration between the sending of the packet(s) containing the first keys by the first node, and the breaking of the encryption or the initiation of the key exchange by the second node. During this time, the rest of the nodes of the network exchange encrypted messages in the context of their ordinary communication and make it even more difficult for an attacker to find out anything about an occurring key exchange.

In the context of an advantageous embodiment it is provided that the first node stores a list with the first keys sent. When the first node receives the message initiating the key exchange protocol sent by the second node, the first node can go through the list trying to decrypt the message received with one of the stored keys. When the first node has found out the key with which the message initiating the key exchange protocol was encrypted, it can be provided in a next step that the first node employs the found key to encrypt its message of the key exchange protocol from its side. In an alternative embodiment, it may be provided to attach an identifier to the message which can be recovered by the other party but not by an attacker. For this purpose, for example, a random number identifying the respective key used could be employed.

The second keys with which the first node has encrypted the sent packets are designed in an advantageous way as encryptions that are easy to break. The fact that an attacker can easily break a light-weight encryption when the packets are transmitted over a public channel is not relevant in the sense that he does not gain any information in spite of the decryption, because he does not know which packet the second node will choose from the multitude of the sent packets.

Regarding a flexible application of the method, it can be provided that the length of the keys with which the first node encrypts the packets are defined according to the respective security requirements. In a concrete example, a RC5 encryption could be chosen, wherein a RC5 encryption with a key length between 16 and 64 bits is assumed to be appropriate in a multitude of possible applications.

Regarding a simplification, it can be provided that the first key K_(i) that is in each case transported with a packet, and the second key k_(i) used to encrypt the corresponding packet are chosen to be identical.

In the context of a concrete application scenario one of the nodes can, for example, be an access point of a network. The other node can be a node associated with or a node associating with the access point, wherein the described method can run between the access point and the node in the context of the registration of the node at the access point.

Regarding a further increase in security, it can be provided that the packets are broadcasted periodically. This again reinforces the steganographic element, because the procedure is executed independently from the fact whether a new node registers with the network. It is hence impossible for an attacker to find out when a key exchange starts, because the process of sending packets is completely uncoupled from any association procedures of nodes in the network. In order to avoid unnecessary data traffic, in particular when applying to a WLAN, it may be provided that the packets to be sent by the first node are beacons that are sent anyway at regular time intervals of typically 100 milliseconds. In other words, the first key K_(i) to be transported by the packet is integrated in an unused field of the beacon.

Alternatively, it is possible to append the first keys K_(i) to all packets that are sent within the network.

Also in the context of a concrete application scenario it may be provided that the initiated key exchange is a Diffie-Hellman key exchange. Other methods, as for example RSA, can also be envisioned.

There are several ways how to design and further develop the teaching of the present invention in an advantageous way. To this end, it is to be referred to the patent claims subordinate to patent claim 1 on the one hand and to the following explanation of preferred embodiments of the invention by way of example, illustrated by the FIGURE on the other hand. In connection with the explanation of the preferred embodiment of the invention by the aid of the FIGURE, generally preferred embodiments and further developments of the teaching will we explained. In the drawing,

the only FIGURE shows schematically an example of an embodiment of the method according to the invention for establishing a secret key between an access point and an associated node.

The only FIGURE shows—schematically—an example of an embodiment of a method according to the invention on the basis of an access point AP of a wireless local are network and an associated node A.

In a first step the access pint AP generates a multitude of packets P_(i). The packets P_(i) contain each a first key K_(i). The access point AP encrypts each of the packets P_(i) with a second key k_(i) and sends the packets P_(i) encrypted in such a way over the wireless link, so the packets P_(i) can be received by the node A. In the concretely shown embodiment the packets P_(i) are encrypted with the block cipher RC5.

In a next step the node A chooses from the multitude of received packets P_(i) randomly a packet P_(m). By running a brute force attack the node A breaks the encryption of the chosen packet P_(m) to thereby obtain the key K_(m). The brute force attack can be performed with reasonable efforts because the packets P_(i) have been encrypted by the access point AP with a relatively weak encryption.

In a third step the node A uses the found key K_(m) to initiate a key exchange protocol with the access point AP. In the depicted embodiment, the key exchange protocol follows the known Diffie-Hellman algorithm. Specifically, the node A generates in a way known by itself the prime number p, as well as a generator g with 2≦g≦p−2. The node A sends a message which contains the values g, p and A, wherein the value A is to be computed as follows: A=g^(a) mod p. a is a random number chosen by the node A that is not made public. The message with the values g, p, A is transmitted in an encrypted manner, wherein the node A employs the found key K_(m) to encrypt the message.

The access point AP decrypts the message received by the node A, wherein in the shown embodiment, the access point AP has stored a table containing all first keys K_(i) sent with the packets P_(i). The access point AP accesses the table and tests one key after the other until it hits the key K_(m) with which the decryption is successful. Thereupon the access point AP on its part generates a random number b and computes B=g^(b) mod p and sends the value B encrypted with the found key K_(m) to the node A.

Finally, the new key K_(DH) is computed, on the part of the node A according to B^(a) mod p and on the part of the access point AP according to A^(b) mod p, wherein the new key K_(DH) then serves to encrypt the forthcoming data exchange between the node A and the access point AP.

Many modifications and other embodiments of the invention set forth herein will come to mind the one skilled in the art to which the invention pertains having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation. 

1. Method for establishing a secret key between two nodes in a communication network, in particular in a wireless local area network (WLAN), characterized in that one of the nodes—first node (B)—broadcasts one or more packets (P_(i)) that can be received by the other node—second node (A)—, wherein the packets (P_(i)) contain each a first key (K_(i)) and wherein the packets (P_(i)) are each encrypted with a second key (k_(i)) before being sent, that the second node (A) randomly chooses one packet (P_(m)) from the packets (P_(i)) received and breaks the encryption of the chosen packet (P_(m)) in order to obtain the first key (K_(m)), and that the second node (A) initiates a key exchange protocol, wherein the second node (A) encrypts the message to be sent for initiating the key exchange protocol with the revealed key (K_(m)).
 2. Method according to claim 1, characterized in that between sending the packets (P_(i)) by the first node (B) and breaking the encryption and/or initiating the key exchange by the second node a pre-configurable duration is provided for.
 3. Method according to claim 1, characterized in that the first node (B) stores a list of the sent keys (K_(i)).
 4. Method according to claim 3, characterized in that the first node (B) tests the stored keys (K_(i)) in order to decrypt the message of the second node (A) initiating the key exchange protocol.
 5. Method according to claim 4, characterized in that the first node (B) encrypts its message of the key exchange protocol with the found key (K_(m)).
 6. Method according to claim 1, characterized in that the encryption of the packets (P_(i)) with the second keys (k_(i)) is an encryption that can easily be broken.
 7. Method according to claim 1, characterized in that the length of the second keys (k_(i)) is set according to the respective security requirements.
 8. Method according to claim 1, characterized in that a RC5 encryption is employed for encrypting the packets (P_(i)).
 9. Method according to claim 1, characterized in that the first key (K_(i)) transported with the packet (P_(i)) and the second key (k_(i)) used to encrypt the packet (P_(i)) are chosen to be identical.
 10. Method according to claim 1, characterized in that one of the nodes (A, B) is an access point (AP) of a network, and that the other of the nodes (B, A) is a node associated with said access point (AP).
 11. Method according to claim 1, characterized in that the packets (P_(i)) are sent periodically.
 12. Method according to claim 1, characterized in that the packets (P_(i)) are beacons.
 13. Method according to claim 1, characterized in that the initiated key exchange protocol is a Diffie-Hellman key exchange.
 14. Method according to claim 2, characterized in that the first node (B) stores a list of the sent keys (K_(i)).
 15. Method according to claim 2, characterized in that the encryption of the packets (P_(i)) with the second keys (k_(i)) is an encryption that can easily be broken.
 16. Method according to claim 3, characterized in that the encryption of the packets (P_(i)) with the second keys (k_(i)) is an encryption that can easily be broken.
 17. Method according to claim 4, characterized in that the encryption of the packets (P_(i)) with the second keys (k_(i)) is an encryption that can easily be broken.
 18. Method according to claim 5, characterized in that the encryption of the packets (P_(i)) with the second keys (k_(i)) is an encryption that can easily be broken.
 19. Method according to claim 2, characterized in that the length of the second keys (k_(i)) is set according to the respective security requirements.
 20. Method according to claim 3, characterized in that the length of the second keys (k_(i)) is set according to the respective security requirements. 